Since February 2022, hundreds of Russian intelligence officers with diplomatic cover deployed at embassies and consulates in Europe were expelled back to Russia. This was to mark against the invasion of Ukraine and also to halt Russian intelligence operations on European soil. In the most insecure times since the Cold War, Russian espionage and other malicious activities, such as influence operations, pose a too great risk not to act. Without a doubt, these expulsions have been a significant blow to Russia. Even so, in early 2023, the Polish security service unveiled a large network of agents in Poland recruited by Russia’s military intelligence agency, the GRU.
The story behind the operation is as simple as it is spectacular, and it all started with cryptic job listings online. Quick cash was offered to people willing to post fliers in public spaces. But there was a catch. The messages on the fliers were, in fact, Russian propaganda. Still, some accepted these assignments, and for them, other tasks awaited: mapping harbors, airports, and railways where supplies to Ukraine were transferred.
Approximately 80 percent of Western military support passes through Poland, increasing the likelihood of Russian attacks to stop the support before it reaches Ukrainian military forces. But, to do so, they must know where and when the cargo is transported.
The people recruited were remarkably young, most of them in their twenties and one as young as 16. Remarkable because the typical spy is a middle-aged, well-educated man – not a young student. By then, it’s more likely for individuals to have reached a position where they have access to information of interest to foreign state actors. It’s also more likely for them to have developed a lifestyle or vulnerabilities that could be exploited by someone else. The agents in this network didn’t have access to any secrets, nor did they have the time to develop any vulnerabilities, but as young people often do – they needed money. The fact that they were young probably helped them fly under the radar when taking pictures of critical locations, placing cameras along the railway tracks, and planning for sabotage.
The reason the network was exposed was somewhat by coincidence. A passer-by noticed a camera in a tree and decided to report it to the police. When searching other areas more cameras were found, all of them in places where the cargo passed on its way to the Ukrainian front. By analyzing the cameras, they were able to say when they had been installed, and by checking cell phone activities, they were able to identify who had been in the area at the time. To summarize, due to poor Russian tradecraft and lack of necessary training of their agents, Polish authorities were able to identify the individuals in the network, which was then successfully dismantled.
The flip side of this story is that some of the recruited agents were Ukrainian refugees. For the GRU, this must have been somewhat of a win-win situation. If the agents were able to fulfil their assignments – excellent. If they got caught – fine. Even if this wasn’t intended as an influence operation, it might still have influenced some people’s will to support Ukraine.
Without being able to act through the Russian embassies, trade representations, and consulates – new ways of doing the job were expected. What might not have been expected, though, is how fast they were able to create a functional and operative network or the way it was organized.
From the very beginning, all was handled digitally; the approach took place on the encrypted platform Telegram, the delivery of assignments, the handover of collected intel, and even the payment in cryptocurrency. The network was also divided into separate cells to minimize the risk that one person could expose the others. The speed in recruiting people and the way the network was organized resembled how some terrorist groups have been able to quickly build an organization of individuals acting on their behalf.
Even though this method might be less sophisticated, it suits a purpose, and it has the potential to become very effective. Besides, this setup includes low or even no risk for the GRU and allows them to continue to operate on European soil even though they’re declared persona non grata. By now, they’ve most likely analyzed this less successful operation, which means they’ll have thoughts on how to adjust their modus operandi to avoid exposure the next time. One thing is for sure: there’ll be next times when networks like this will be used, and not only in Poland.
The threat from intelligence operations is always to be taken seriously, but even more so when the end goal might be to attack Europe. Even though espionage is conducted every day, using different methods such as signals intelligence, technical intelligence, and human intelligence, the need for intel certainly increases in times of unrest. It’s said that war creates spies , but intelligence gathering is not initiated on day one of a war; it’s something that starts much earlier.
The exposure in Poland is unique, but unique for how long? When will we see similar networks of agents in neighboring countries – or are they already in place? During the past years, there have been several arrests in Sweden where people have entered prohibited areas belonging to the Swedish Armed Forces or the defense industry, and drones have been spotted over nuclear power plants, airports, and harbors. Whether these are separate incidents or there is a pattern is for the authorities to say. But even though people have been caught red-handed and identified, it might still be difficult to find out who is really behind the information gathering. It might even be that the people arrested are not aware of it themselves.
Even though the people involved in the Polish network were randomly chosen individuals without specific access to the information needed, it might look different in other cases. Therefore, insider prevention activities should be a natural part when hiring a new employee or consultant to minimize the risk of having people on the inside who are vulnerable or have their loyalty elsewhere. The companies and organizations of interest are not only the obvious, such as the defense industry or the armed forces, but also our energy, water, and food supply, communications and transportation, political decisions, high-tech companies, and businesses that conduct R&D. We all have a responsibility to protect what needs to be protected.
Needless to say, there is no easy solution for how to stop espionage on European interests. But informing citizens how it works – who the threat actors are, the methods they use, and what kind of information they’re after – is crucial. Also, we must be clear on how we should act and where we should turn if we, as in the Polish case, find a hidden camera installed in a strategic location.